Heimdal

I’ve been cleaned up the new compiler to make it cause less warnings on many platforms. There was less things to fix then I expected, but some LP64 bugs where in there. Signedness warnings from gcc 4 was very helpful. I need to go over the code again with more warnings turned on.

To the topic of today, IMPLICIT (and AUTOMATIC) tagging. Implicit tagging is a space saving optimization. It allows you to save one complete tag (or, not very common, several tags).

If you define a element like this:

[1] IMPLICIT OCTET STRING

It will encoded on wire in BER as

[CONTEXT PRIM 0] [length 1] [ F ]

I have marked each of the bytes with square brackets. If the specfication was using EXPLICIT instead, it would instead have been encoded like this, with a total saving of 2 bytes:

[CONTEXT CONS 0] [length 3] [UNIV PRIM Integer ] [ length 1 ] [ F ]

Why it this a problem, saving bytes are good, right ? Yes, saving bytes are good, but the amount of complexity in the compiler is not worth it, especially for AUTOMATIC tagging where the compiler figure out where to put tags. And no less for the humans trying to read it, it’s just too much. Thera are only so many features that the poor developer should need to handle at the same time. Information object model, paramerized types, etc, this is just another way from ITU to make sure the poor developers explode when they read about this.

So can Heimdal’s ASN.1 compiler handle this yet ? No, not yet, but since its used on LDAP and X.509, I’ll get around to fixing it some day soon. The problem is that there are no pretty way of fixing it. Either more generated functions, or breaking the API/ABI. If we compiled to byte-code, it might be easier to handle this (because it could just skip all tags until it got to a primitive type or constructed type.

There is a work-around, inline all of the content into the structure. Basicly don’t reference external types for tags where IMPLICIT tagging enviroment used.

Int ::= INTEGER
Broken ::= SEQUENCE {
b[0] IMPLICIT Int
}
Working ::= SEQUENCE {
w[0] IMPLICIT INTEGER
}

This is very clumsy when you have to inline larger structures, also the code handling this gets all broken since there is no way to reference intermediate types.

Technorati tag: Heimdal

Yesterday I commited the new ASN.1 compiler to Heimdal.Highlighs for the compiler is support for CHOICE and in general better support for tags. This compiler support most of what is needed for PK-INIT, LDAP, X.509, PKCS-12 and many other protocols.

Now I can add lots of neat extentions to the database, and support PK-INIT. The last two weeks I’ve read over the code and written more regression tests. Creating DER data to test the compiler was very boring, I only wrote the primitive types, when I got the the constructed types, I wrote a tool to help me instead. Using the tool suddenly it was very easy to create DER ata.

$ cat test.gen
UNIV CONS Sequence 23
CONTEXT CONS 0 3
UNIV PRIM Integer 1 01
CONTEXT CONS 1 8
UNIV CONS Sequence 6
CONTEXT CONS 127 3
UNIV PRIM Integer 1 01
UNIV PRIM Integer 1 01
CONTEXT CONS 2 3
UNIV PRIM Integer 1 01
$ asn1_gen test.gen
line:   5 offset:   0 class: 0 type: 1 tag:  16 length:  23
[....]
line:  14 offset:  22 class: 0 type: 0 tag:   2 length:   1
line: eof offset: 25
$ asn1_print test.gen.out
UNIV CONS Sequence = 23 bytes {
CONTEXT CONS tag 0 = 3 bytes [0]
UNIV PRIM Integer = integer 1
CONTEXT CONS tag 1 = 8 bytes [1]
UNIV CONS Sequence = 6 bytes {
CONTEXT CONS tag 127 = 3 bytes [127]
UNIV PRIM Integer = integer 1
}
UNIV PRIM Integer = integer 1
CONTEXT CONS tag 2 = 3 bytes [2]
UNIV PRIM Integer = integer 1
}

PK-INIT have gotten iself a push lately, it might be ready for WG-LC after Paris IETF meeting, that is great progress. Then maybe we can get Kerberos extentions out the door.

So the last couple of days I’ve spend at my cousins house in Laguna Hills, CA, USA. Very nice, hacking Heimdal next to the pool in the sun.

I’ve merged in Andrew Bartlett’s code for libkdc from Lorikeet, it was two days of work, much changes that needs to adapted to the rest of the style in Heimdal and remove part of the patch that we can’t accept yet.

Now I’m working on mergeing in the new ASN.1 compiler that Johan started on and I have cleaned up and started to use in PK-INIT. Currently I’m adding more regression test for failure cases, I would like to see more generated testes, it should really be an integral part of the compiler.

The compiler is needed for both the HDB extentions and I would like to see Lukes new SPNEGO code use it. Hopefully I’ll be done by the time I get to Boston next week.